airflow-users mailing list archives

From Ash Berlin-Taylor <>
Subject [CVE-2019-12417] Apache Airflow stored xss and local file disclosure vulnerability <= 1.10.5
Date Wed, 30 Oct 2019 09:06:24 GMT
CVE-2019-12417: Stored XSS and Local File Disclosure vulnerability 

  Versions Affected:
  <= 1.10.5

    A malicious admin user could edit the state of objects in the Airflow metadata database
to execute arbitrary JavaScript on certain page views. This also presented a Local File Disclosure
vulnerability to any file readable by the webserver process.

    Thanks to Pawel.Kurylowicz (of, and Frantisek Uhrecky and Marek Takac (both
of for all independently reporting this vulnerability. 
Apache Airflow PMC member